Mino – The UC Guy

Microsoft Unified Communications Blog

Single certificate for OCS/Exchange/ISA usage

Posted by Mino on July 7, 2009

Any post starting with this disclaimer was not written by me; I liked it and added it to my blog. I am also including the link to the original or similar post to give credit to the original author.

http://www.unifysquare.com/blog/post/Single-certificate-for-OCSExchange-firewall-usage.aspx

Internal certificates work wonders for your Active Directory Domain Services members. For Unified Communications, where OCS and Exchange are going to use the same ISA 2006 server as the firewall, using one Subject Alternative Name (SAN) certificate for both your Edge configuration and your ISA configuration can save you time and management hassle, and possibly money as well. For internal servers an internal PKI is just fine, but for the public interface of your system you should be looking at a certificate from a public CA such as Go-Daddy, Thawte, DigiCert, etc. OCS Federation, remote users, and Public Instant Messaging Connectivity (PIC) all require public certificates.

The following table shows the SAN names needed on a certificate to support the base OCS and Exchange functions on ISA 2006, and I imagine that this certificate construction will work just fine on many other firewalls as well. The table comes from my test domain; replace my test domain (domain.com) with your own domain name.

Obtain a public SAN (UCC) certificate from your favorite provider, import the certificate into your OCS Edge server and your ISA server computer account Trusted Root Certificate store, and then you can use one certificate for all these uses. This approach leaves you with only the one certificate to manage and renew, or, if life treats you badly, to move to a new server.

#  | SAN Name                 | Usage             | Notes
---+--------------------------+-------------------+--------------------------------------
1  | SIP.domain.com           | OCS Edge Server   | IM, Presence, Federation, PIC
2  | webconf.domain.com       | OCS Edge Server   | Web Conferencing
3  | AV.domain.com            | OCS Edge Server   | A/V
4  | revproxy.domain.com      | ISA Reverse Proxy | Web Components
5  | CWA.domain.com           | ISA Web Listener  | Communicator Web Access
6  | DOWNLOAD.CWA.domain.com  | ISA Web Listener  | CNAME for CWA desktop sharing
7  | AS.CWA.domain.com        | ISA Web Listener  | CNAME for CWA desktop sharing
8  | MAIL.domain.com          | ISA publisher     | Outlook Anywhere, OWA, POP, IMAP
9  | AUTODISCOVER.domain.com  | ISA Web Listener  | Autodiscover for Outlook and OCS
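The script below is an added example, not part of the original post or of any Microsoft tool. It turns the table above into two practical steps: it writes a certreq.inf that asks a CA for the nine names in the subjectAltName extension (OID 2.5.29.17, the `_continue_ = "dns=...&"` syntax certreq accepts), and it checks whether the names on an issued certificate cover every row, using the usual DNS-ID matching rule where a wildcard covers exactly one label. That last point is why the two-level names in rows 6 and 7 (download.cwa.domain.com, as.cwa.domain.com) are never covered by a `*.domain.com` wildcard, which bears on the wildcard question raised in the comments. `domain.com` and the certificate fields in the samples are constructed placeholders; read the real values off your certificate with `certutil -dump` or `openssl x509 -text`.

```python
"""Build the SAN list from the post's table, emit a certreq.inf that requests
it, and check whether an issued certificate's names cover every row.

Added example, not from the original post. domain.com stands in for your
domain; the certificate fields used below are constructed sample values, not
a real certificate.
"""

# Rows of the table in the post: FQDN -> what it serves.
REQUIRED_NAMES = {
    "sip.domain.com": "OCS Edge Server: IM, Presence, Federation, PIC",
    "webconf.domain.com": "OCS Edge Server: Web Conferencing",
    "av.domain.com": "OCS Edge Server: A/V",
    "revproxy.domain.com": "ISA Reverse Proxy: Web Components",
    "cwa.domain.com": "ISA Web Listener: Communicator Web Access",
    "download.cwa.domain.com": "ISA Web Listener: CWA desktop sharing",
    "as.cwa.domain.com": "ISA Web Listener: CWA desktop sharing",
    "mail.domain.com": "ISA publisher: Outlook Anywhere, OWA, POP, IMAP",
    "autodiscover.domain.com": "ISA Web Listener: Autodiscover for Outlook and OCS",
}


def certreq_inf(common_name, san_names):
    """Return certreq.inf text for a machine-store request that places every
    name in the subjectAltName extension (OID 2.5.29.17) with common_name as
    the CN. Generate the CSR with:  certreq -new request.inf request.req
    Exportable = TRUE because the post shares one certificate between the
    Edge server and the ISA server, so the key must leave the first box."""
    lines = [
        "[Version]",
        'Signature="$Windows NT$"',
        "",
        "[NewRequest]",
        f'Subject = "CN={common_name}"',
        "KeyLength = 2048",
        "KeySpec = 1",          # AT_KEYEXCHANGE, needed for TLS key exchange
        "KeyUsage = 0xA0",      # digitalSignature + keyEncipherment
        "Exportable = TRUE",
        "MachineKeySet = TRUE",
        "RequestType = PKCS10",
        "",
        "[EnhancedKeyUsageExtension]",
        "OID = 1.3.6.1.5.5.7.3.1",  # serverAuth
        "",
        "[Extensions]",
        '2.5.29.17 = "{text}"',
    ]
    lines += [f'_continue_ = "dns={name}&"' for name in san_names]
    return "\n".join(lines) + "\n"


def name_matches(presented, hostname):
    """DNS-ID matching as TLS clients do it: case-insensitive, and a wildcard
    only as the whole left-most label, matching exactly one label. So
    *.domain.com covers sip.domain.com but not download.cwa.domain.com."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_coverage(common_name, san_dns_names, required=REQUIRED_NAMES):
    """Map each required FQDN to the presented names (CN first, then SAN
    entries) that cover it; an empty list means that row is unserved."""
    presented = [common_name] + list(san_dns_names)
    return {fqdn: [p for p in presented if name_matches(p, fqdn)] for fqdn in required}


def uncovered(common_name, san_dns_names, required=REQUIRED_NAMES):
    """Sorted list of table rows this certificate does not cover."""
    return sorted(f for f, hits in check_coverage(common_name, san_dns_names, required).items() if not hits)


# Constructed sample 1: a UCC certificate requested from the table above.
UCC_CN = "sip.domain.com"
UCC_SANS = list(REQUIRED_NAMES)          # CN repeated in the SAN list, as CAs issue it

# Constructed sample 2: the wildcard certificate asked about in the comments.
WILDCARD_CN = "*.domain.com"
WILDCARD_SANS = ["*.domain.com", "domain.com"]

if __name__ == "__main__":
    print(certreq_inf(UCC_CN, UCC_SANS))
    for label, cn, sans in (("UCC", UCC_CN, UCC_SANS), ("wildcard", WILDCARD_CN, WILDCARD_SANS)):
        missing = uncovered(cn, sans)
        print(f"{label}: {'all rows covered' if not missing else 'NOT covered: ' + ', '.join(missing)}")
```

Run it as is to see the generated request and the coverage report for both samples; in practice you would paste the CN and the SAN DNS entries from the certificate you actually received. The CN is always the first entry in the presented list, so if your Edge deployment depends on a particular name being the CN (the re-ordering discussed in the comments), `check_coverage(...)[name][0]` tells you whether it is.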


10 Responses to “Single certificate for OCS/Exchange/ISA usage”

  1. richard said

    Hi Mino, just a quick question: didn't you notice issues with such a common certificate used by many services on many different machines?

    I mean on the Edge server, OCS automatically picks up the FQDN from the certificate SN attribute and simply ignores SAN attributes. So the external FQDN for OCS services becomes the name that is visible in the certificate as SN. That is a serious problem if the OCS FQDNs are in the SAN list and not in the SN. In your example you did not specify what was included as SN, but I assume the problem may appear in this scenario too.

  2. Mino said

    Yes, I totally understand what you mean, and that's why UCC certificate vendors give you an administration page on their website which gives you the option to reorder the names and choose which of the SAN names you would like to have as your common name … then you can regenerate and download the certificate.
    This is all free of charge and you can do it as many times as you want.

    I hope that answers your questions.

  3. richard said

    Does regenerating the certificate result in a brand new certificate in terms of new thumbprint, private key, public key?

  4. Mino said

    No no, just re-ordering of the names, with the same thumbprint, private key and public key.

    Take a look at the DigiCert site below for more information:
    http://www.digicert.com/unified-communications-ssl-tls.htm

  5. Scott said

    Is there any problem with using a wildcard certificate?
    Our company currently uses one for most of our external addresses.

    Right now I’m only setting up an Edge server for testing purposes. The biggest problem I’m having is getting my certs straightened out. Very confusing. So at this point I’m unable to connect to the Edge server from an external client.

    Thanks

  6. Mino said

    Dear Scott,

    I believe a wildcard certificate is not supported for OCS Edge and will not work when you try to use it, because if you check the certificate SN you will find it named as *.yourdomain.com, whereas the Edge configuration will be looking for the FQDN of the service name in the certificate, for example sip.yourdomain.com, webconf.yourdomain.com and AV.yourdomain.com.

    So that's why a wildcard will not work.

  7. Test said

    Mino,
    How would you place the common name of the certificate with the SAN, since we need to match the common name with the first name of the SAN for the ISA publishing?

  8. Mino said

    If you purchase the certificate from DigiCert, then you can add, remove, or edit the names in your UC Certificate at any time by creating a duplicate of the certificate after re-arranging the names as you need.

  9. Keosaki said

    Mino said:
    ========================
    Yes, I totally understand what you mean, and that's why UCC certificate vendors give you an administration page on their website which gives you the option to reorder the names and choose which of the SAN names you would like to have as your common name … then you can regenerate and download the certificate.
    This is all free of charge and you can do it as many times as you want.
    =======================
    I have a small doubt: is this a standard practice among all the certificate vendors?

    And, this may be a stupid question to ask,

    if we generate a new certificate by reordering the SAN names, will the older certificate be invalid?

    Thank you and kind regards

  10. Mino said

    Yes, I totally agree that it is not an option for all vendors, and yes, I agree that if you create a new certificate it revokes the old one.
    But other companies like DigiCert give you the option to create a duplicate certificate of the original one without revoking the old one.
